Report on the percentage of identified risks that have a defined risk mitigation plan.

UCF ID: 02042
Control Type: Actionable Reports or measurements
Status: Live
Metric guidance

Calculation: The calculation for this metric is # of identified risks that have a defined risk mitigation plan / # of identified risks.

Calculation source: No authority document supplies a calculation for this metric. The following formula was used: the number of identified risks that have been assigned a fix or control to mitigate the risk, divided by the total number of risks that were identified during risk analyses for each business unit (or for the organization as a whole) during the reporting period.

The Common Control IDs associated with this metric are as follows:

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10, 2005, ISPE10.3; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.2

US Federal Security Guidance

The organization must measure and report on the percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy. [ISPE10.3, CISWG Information Security Program Elements, January 10, 2005]

General Guidance

The purpose of this measurement is to determine the percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy. [§ 18.2, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.